Agenda

* WHY: Learn why we care about user agents (UAs)

* HOW: Learn how to read a user-agent

* HOW TO: (get it?) Learn how to use user-agents in our tools
What is a User-Agent?

A user-agent is a string which lets websites know your:

* Type of web-browser or application

* Operating system

* Security settings or permissions

* Versions of relevant programs (media, Java, etc.)

* Etc. (language settings, ad-ware)
Why would I want to give a website that?

* Compatibility

* Specific website features

* Security permissions
User-Agents Can

* Link a target's "selected" activity to their unselected web-browsing

* Create a tentative link between targets that have the same user-agent

* Identify CNE opportunities
User-Agents Also

* Can vary from very unique to extremely common

* Change with software updates

* Only identify the web-browser

  * 2 web-browsers = 2 user-agents

* Can't be trusted...
[Slide title only partly readable in the source: "... nonsense? ... started"]

A History Lesson
The Great Browser Wars

Back... in the 20th Century!

Before Now but After What is Below
Remember Frames?

* Netscape's new fancy web-browser supported them!

* The original "web-browser" Mosaic did not

And so began browser "sniffing"
Worthless Trivia!

* Mosaic was the first web-browser to embed images with text

* It supported FTP, Usenet, and Gopher!

* Its web-browser competitors at the time were Erwise and ViolaWWW
The Great Internet Explorer Hoax

Ever wonder why so many user agents start with "Mozilla" but aren't Firefox?
Internet Explorer fools us all

* When Internet Explorer was released it did frames too!

* But since its user-agent didn't say so, no websites would send their super cool frames version to the IE users
Internet Explorer starts to spoof

* Internet Explorer changed its user agent, starting it with Mozilla/1.22:

  Mozilla/1.22 (compatible; MSIE 2.0; Windows 95)
And it continues to this very day.

Three Basic Pieces of the UA
Part 1: The Netscape Historical Token

* Appears primarily in Mozilla Firefox, Google Chrome, and MSIE browsers
* Modern version: Mozilla/4.0 or Mozilla/5.0
* Does not indicate a target uses "Mozilla Firefox"
Part 2: The Web Browser Identifier

* Appears in generally all user-agents
* Not always in the same place, but usually self-explanatory
  * Opera X.X = Opera
  * Firefox X.X = Firefox
  * Safari X.X = Safari
  * Chrome X.X Safari X.X = Google Chrome
Part 3: The Operating System Token

* Appears in basically all HTTP user-agent strings
* Examples:
  * Windows NT 6.1 = Windows 7
  * Windows NT 6.0 = Windows Vista
  * Windows NT 5.2 = Windows XP 64-bit
  * Windows NT 5.1 = Windows XP
  * Windows NT 4.0 actually equals Windows NT 4.0
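The three pieces described in Parts 1 to 3 can be pulled apart mechanically. The following Python parser is an added example for this write-up, not a tool from the slides: it reads the Netscape historical token, the browser identifier, and the operating-system token, and keeps the leftover tokens of the first parenthesised group (the "compatible", "U"/"I"/"N" and language markers). The Windows NT version table is the one on the slide; the priority order of browser tokens, the list of non-Windows platform markers, and the regular expressions are this example's own assumptions.

```python
import re

# Windows NT kernel version -> marketing name, exactly as the slide lists them.
WINDOWS_NT_NAMES = {
    "6.1": "Windows 7",
    "6.0": "Windows Vista",
    "5.2": "Windows XP 64-bit",
    "5.1": "Windows XP",
    "4.0": "Windows NT 4.0",
}

# Browser identifier tokens in priority order (an assumption of this example).
# Chrome must be tested before Safari because a Chrome UA carries both tokens.
BROWSER_PATTERNS = [
    ("Opera", re.compile(r"\bOpera[/ ](\d+(?:\.\d+)*)")),
    ("Internet Explorer", re.compile(r"\bMSIE (\d+(?:\.\d+)*)")),
    ("Firefox", re.compile(r"\bFirefox/(\d+(?:\.\d+)*)")),
    ("Chrome", re.compile(r"\bChrome/(\d+(?:\.\d+)*)")),
    ("Safari", re.compile(r"\bSafari/(\d+(?:\.\d+)*)")),
]

# Non-"Windows NT" platform markers named on the slides. Order matters: an
# Android UA also says "Linux" and an iPhone UA also says "Mac OS X".
OS_MARKERS = [
    "Windows 95", "Android", "iPhone", "iPad", "BlackBerry", "Mac OS X",
    "Linux", "FreeBSD", "Nintendo Wii", "PlayStation",
]

HISTORICAL_TOKEN = re.compile(r"^Mozilla/(\d+\.\d+)")
WINDOWS_NT = re.compile(r"\bWindows NT (\d+\.\d+)")
FIRST_PAREN_GROUP = re.compile(r"\(([^)]*)\)")


def _detect_os(ua):
    """Return (human-readable OS name, raw token as it appears in the UA)."""
    m = WINDOWS_NT.search(ua)
    if m:
        version = m.group(1)
        return WINDOWS_NT_NAMES.get(version, "Windows NT " + version), m.group(0)
    for marker in OS_MARKERS:
        if marker in ua:
            return marker, marker
    return None, None


def parse_user_agent(ua):
    """Split a UA string into the three pieces the slides describe, plus the
    leftover tokens of the first parenthesised group."""
    result = {
        "historical_token": None,  # Part 1: "Mozilla/4.0", "Mozilla/5.0", ...
        "browser": None,           # Part 2: the browser the identifier names
        "browser_version": None,
        "os": None,                # Part 3: OS token, translated where known
        "extras": [],              # e.g. "compatible", "U", "en-US", "SV1"
    }

    m = HISTORICAL_TOKEN.match(ua)
    if m:
        result["historical_token"] = "Mozilla/" + m.group(1)

    browser_token = None
    for name, pattern in BROWSER_PATTERNS:
        m = pattern.search(ua)
        if m:
            result["browser"] = name
            result["browser_version"] = m.group(1)
            browser_token = m.group(0)
            break

    os_name, os_token = _detect_os(ua)
    result["os"] = os_name

    # Everything else inside the first "(...)" is kept as an extra token,
    # minus the OS and browser tokens already accounted for.
    m = FIRST_PAREN_GROUP.search(ua)
    if m:
        for item in m.group(1).split(";"):
            item = item.strip()
            if not item:
                continue
            if os_token is not None and os_token in item:
                continue
            if browser_token is not None and browser_token in item:
                continue
            result["extras"].append(item)
    return result


if __name__ == "__main__":
    # Sample strings taken from the slides.
    for ua in [
        "Mozilla/1.22 (compatible; MSIE 2.0; Windows 95)",
        "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)",
        "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.3 "
        "(KHTML, like Gecko) Chrome/6.0.464.0 Safari/534.3",
        "Opera/9.30 (Nintendo Wii; U; 2047-7; en)",
    ]:
        print(parse_user_agent(ua))
```

Note that the historical token is absent from the Opera console string and that the Chrome string reports "Windows 7" while its extras still carry the "U" encryption-strength marker; a console that keys on the browser or OS field alone would treat very different clients alike, which is the point the later uniqueness slides make.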
Other operating systems' UAs

* Mobile
* Mac OS X
* Linux
  * Linux i686
* FreeBSD
Game Consoles

Opera/9.30 (Nintendo Wii; U; 2047-7; en)
Mozilla/5.0 (Playstation 3; 2.00)
PSP (PlayStation Portable); 2.00
Mobile User Agents

* Usually self-explanatory
  * iPhone
  * iPad
  * BlackBerry
  * Android

Mobile user agents also usually give you the phone model (read: IMEI correlation opportunities)
Ever wonder what that was?

* Gecko: a rendering engine used by Firefox and others

* AppleWebKit: Apple's version of the KHTML rendering engine, used most commonly in Safari and Chrome

* Presto: the "core" of the Opera platform suite
Ever Wonder, Cont'd.

* .NET CLR is the .NET Framework version

* SV1 is an artifact created by MSIE 6.0 to make its security better

* Win64 can indicate that the system is running a 64-bit processor
Ever Wonder... One more

Many web browsers will also have an "encryption strength" marker:

* U = USA (128-bit encryption)
* I = International (40-bit encryption)
* N = No encryption (Woo!)

Most browsers nowadays come with a U, since the USG no longer requires encryption changes for international usage.
Your target's user-agents can shorten and lengthen!

* Each website may require different information

* Longer user-agents may have various rendering engine, Java versions, and language settings

* If you see a shortened or longer version of a UA close to your target's logins, check it out! Carefully...
Querying in Xkeyscore

Remember:

* Since Xkeyscore no longer supports leading wildcards you need to be specific with your User-Agent

* A User-agent alone is not a strong query

* Time frame, active IP, country, etc. all will help make your query compliant

[Screenshot: "IKE Parser" view, Browser field showing: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/533.4 (KHTML, like Gecko) Chrome/5.0.375.99 Safari/533.4]
Uniqueness - When to use a User-Agent

[Screenshot: results grid with Browser and Geo Info columns; the Browser column alternates between the two strings below]

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)

Results of an IP-based search for a target

[Screenshot: Histogram Grid, page 1 of 1, two rows]

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)

Low number of users and traffic volume, as well as only 2 user-agents

Verdict: Probably reliable
More Users, More Problems

[Screenshot: Histogram Grid of Browser values with counts; truncated rows are marked "..."]

Count  Browser
    6  Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
    1  Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.043; ...
    1  Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; ...
    1  Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; GTB0.0; .NET CLR 2.0.50727; AskTBS.B)
    1  Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; GTB6.6)
    1  Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; GTB6.5; .NET CLR 2.0.50727)
    2  Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; GTB6.5; InfoPath.2)
    1  Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; GTB6.5; InfoPath.2; .NET CLR 2.0.50727; .NET ...
    1  Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.1; .NET CLR 2.0.50727; .NET CLR 3.0. ...
    1  Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322)
    6  Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
    1  Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322)
    1  Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; FunWebProducts; AskTbPTV/5.6.0.12304)
    1  Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; GTB6; .NET CLR 1.1.4322)
    1  Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; IEMB3; IEMB3)
    1  Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727 ...
    2  Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; InfoPath.2; .NET CLR ...

Reliability of correlating your target's browser to his web-activity plummets due to user-agent variations and the threat of multiple users.

At this point, cookie and TDI correlation are necessary. User-agents cannot be used by themselves.
Common Sense Helps

* Never assume because a User-agent is complicated that it is unique

* Example:

  Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.3 (KHTML, like Gecko) Chrome/6.0.464.0 Safari/534.3

* This is the standard user agent for EVERYONE with an updated Chrome browser using Windows 7.
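The "More Users, More Problems" table and the "Common Sense Helps" slide make the same point from two sides: add-on tokens make one browser install look like many strings, while a plain string is shared by everyone on the same browser and OS. The Python below is an added example written for this write-up, not code from the slides. It strips the variable add-on tokens (.NET CLR, SV1, GTB, InfoPath, toolbar markers) so that variants collapse onto a base string, then reports how much of a population the most common base string accounts for. The sample counts are constructed to mirror the table above, with the slide's truncated rows completed with plausible tokens; the list of tokens treated as noise is this example's assumption. For a defender reviewing web-server logs the same collapse shows why a rate limit, allowlist or alert keyed on the raw User-Agent string is fragile.

```python
import re
from collections import Counter

# Tokens that IE add-ons and runtimes append to the UA (an assumption of this
# example, drawn from the tokens visible in the table). They vary per machine
# and per patch level but do not change which browser or OS is in use.
NOISE_PREFIXES = (".NET CLR", "SV1", "GTB", "InfoPath", "FunWebProducts",
                  "AskTb", "IEMB", "Media Center PC")

# Product token, first parenthesised group (non-greedy), and whatever follows.
UA_SHAPE = re.compile(r"^(\S+) \((.*?)\)(.*)$")


def base_user_agent(ua):
    """Drop the variable add-on tokens so that variants of one browser
    install collapse onto a single base string."""
    m = UA_SHAPE.match(ua)
    if not m:
        return ua
    head, inner, tail = m.groups()
    kept = []
    for token in inner.split(";"):
        token = token.strip()
        if token and not token.startswith(NOISE_PREFIXES):
            kept.append(token)
    return "%s (%s)%s" % (head, "; ".join(kept), tail)


def collapse(rows):
    """rows: iterable of (user_agent, count). Returns a Counter keyed by
    base user-agent with the counts summed."""
    counts = Counter()
    for ua, n in rows:
        counts[base_user_agent(ua)] += n
    return counts


def dominant_share(rows):
    """Return (base UA, its count, total count) for the most common base UA;
    a base string that owns most of the traffic identifies nobody."""
    counts = collapse(rows)
    total = sum(counts.values())
    base, n = counts.most_common(1)[0]
    return base, n, total


# Constructed sample modelled on the "More Users, More Problems" table; rows
# the slide truncates have been completed with plausible tokens.
SAMPLE_COUNTS = [
    ("Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)", 6),
    ("Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648)", 1),
    ("Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)", 1),
    ("Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; GTB6.6; .NET CLR 2.0.50727; AskTbSB)", 1),
    ("Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; GTB6.6)", 1),
    ("Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; GTB6.5; .NET CLR 2.0.50727)", 1),
    ("Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; GTB6.5; InfoPath.2)", 2),
    ("Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; GTB6.5; InfoPath.2; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152)", 1),
    ("Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.1; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152)", 1),
    ("Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322)", 1),
    ("Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)", 6),
    ("Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322)", 1),
    ("Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; FunWebProducts; AskTbPTV/5.6.0.12304)", 1),
    ("Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; GTB6; .NET CLR 1.1.4322)", 1),
    ("Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; IEMB3; IEMB3)", 1),
    ("Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727)", 1),
    ("Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; InfoPath.2; .NET CLR 2.0.50727)", 2),
]


if __name__ == "__main__":
    raw = len(SAMPLE_COUNTS)
    bases = collapse(SAMPLE_COUNTS)
    print("%d raw strings collapse to %d base strings" % (raw, len(bases)))
    for base, n in bases.most_common():
        print("%3d  %s" % (n, base))
    base, n, total = dominant_share(SAMPLE_COUNTS)
    print("most common base string carries %d of %d hits" % (n, total))
```

Trident/4.0 is deliberately kept, since it names the rendering engine rather than an add-on; with the sample above the seventeen raw strings fall into four base strings and the plainest IE 6 string alone accounts for just over half of all hits, which is the "not unique" lesson of the Chrome example on the slide, now visible in numbers.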
Xkeyscore Storage

Push to Pinwale or Archive Results

[Screenshot: results export menu with the options AGILITY-RealTime, Agility, DNI Presenter, PINWALE, PINWALE and Decrypt, Download SOTF Session, Download Session, Download D124 Session, Archive Results; status column reads "finished"]
Pinwale

Fields to add to Metadata View

[Screenshot: Pinwale metadata view field list]

Generally speaking, the User Agent listed belongs to the selector in the Active User column (if populated)
Add a User-Agent to a compliant query

Fielded Search Form

1. Put the User Agent that is being searched for into the CONTENT_META field under the fielded search form.

Smart Form / Native Query

Native, cs=I503359_l [ (content_meta=(((("Opera Mini")) between \<UserAgent and \/UserAgent ))) )

(content_meta=((( ("Opera Mini")) between \<UserAgent and \/UserAgent )))
Not sure of the specific User-Agent?

1. Add the following syntax to your query:

   \TERM \<your_field_here (e.g. \TERM \<useragent)

2. Apply Native to the field

3. Apply the content_meta document zone to the field.

(TS//SI//REL) This query basically ensures that a certain field exists in each result, thus removing all the content not relevant to your query.
User-Agent Manipulation

* The best for last

* User-agents can be completely changed or not included by the user!
  * By Firefox plugin
  * By browser settings (Opera)
  * By outside programs (Tor Button)

* These programs allow users to have a different user agent for each session!
Questions??

* Contact Info: [name redacted in source]@nsa.ic.gov

* Website on the High-Side: [unreadable in source]

* Lots of great stuff in open source as well!
  * http://www-archive.mozilla.org/build/user-agents-strings.html
Have a random SIGDEV question?

Need help with a target using new tech to communicate?

Need help developing an accurate collateral description of a technology?

Want help developing Xkeyscore fingerprints for a weird target behavior?